Post navigation

Heartbleed Bug Demonstrates Deep Vulnerabilities of the Web

If you haven’t yet heard, a massive vulnerability in a key piece of security software was announced this week. Researchers call it the Heartbleed bug.

Simply put, it is not your fault. Web servers at banks, airlines, and shopping sites use a type of encryption called Secure Sockets Layer or SSL. Your browser will display a lock icon in the address bar and maybe even change colors to green demonstrating you have a secure connection. Many websites use a piece of Open Source software, meaning nobody owns it and everyone can see the code, called OpenSSL.

OpenSSL is where the vulnerability was found. The problem is that 2/3 of all internet sites using SSL to secure the communication between your browser and their server use OpenSSL.

Why is that a problem? This bug means hackers can intercept what is supposed to be encrypted information between your browser and the bank’s server. In other words, what is supposed to be unreadable is readily readable to criminals.

And it gets worse.

In the past 24 hours or so word has leaked out that the core equipment used for the internet itself and most corporate networks has this bug too. According to Network World, Cisco and Juniper routers are affected.

This is where it gets really ugly.

Fixing the OpenSSL bug on a website is relatively easy and the majority of websites have already put in the patches. Tracking down every router, taking it offline, and installing patches from the vendors is a very time consuming and difficult process that might take months.

Initially I wasn’t too concerned about you and me. This latest round of news truly has me worried and you need to take action now.

I am now suggesting to you and everyone you know that you take the time to change your password on every bank, shopping, travel, etc. website where you transact business with username/password and/or credit card information.

And then do it again in a week and then again in a month.

Too difficult to remember all of your passwords? There are tools to help you besides sticky notes on the side of your monitor.

Protect your passwords using software like Password Safe, 1Password, or pwSafe. Those applications are a securely encrypted safe in which to store all of your passwords. Use the random password generator in the software for creating your passwords.

When you use software like those three, use an entire password phrase as the master password. Something you can remember like the old “The quick brown fox jumps over the lazy dog”, but make sure to use spaces and capital letters, even use the quotation marks if you’d like.

Here are some basic rules:
• Always use a password, never let a password be blank
• Always change a password immediately after receiving one that was given to you
• Use as many characters as possible when creating a password, don’t just use eight use 16 or 20 or more
• Use different passwords everywhere, at least for sensitive information like banks or anywhere they might store your credit card information

UPDATE 4/12/14 11:30 PDT – McAfee has a handy tool for testing websites for the Heartbleed vulnerability. You can use it to test a site you might visit BEFORE you go to the website. Click HERE for McAfee’s tool